CVE-2013-6272 : The NotificationBroadcastReceiver class in the com.android.phone process in Goog

The NotificationBroadcastReceiver class in the com.android.phone process in Google Android 4.1.1 through 4.4.2 allows attackers to bypass intended access restrictions and consequently make phone calls to arbitrary numbers, send mmi or ussd codes, or hangup ongoing calls via a crafted application.

Published 2018-05-02 15:29:01

Updated 2018-06-12 18:02:33

Source MITRE

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2013-6272

Google » Android
Versions from including (>=) 4.1.1 and up to, including, (<=) 4.4.2
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-6272

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 37 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-6272

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2013-6272

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-6272

http://seclists.org/fulldisclosure/2014/Jul/13

Full Disclosure: Conduct phonecalls on Android without the necessary permission, advisory+testapplication+exploits for testing (CVE-2013-6272 and CVE-2014-N/A)
Exploit;Mailing List;Third Party Advisory
http://packetstormsecurity.com/files/127359/Android-OS-Authorization-Missing.html

Android OS Authorization Missing ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/68415

Google Android CVE-2013-6272 Remote Security Bypass Vulnerability
Third Party Advisory;VDB Entry
https://curesec.com/blog/article/blog/35.html

CVE-2013-6272 com.android.phone - Cureblog
Exploit;Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/94423

Google Android NotificationBroadcastReceiver security bypass CVE-2013-6272 Vulnerability Report
VDB Entry;Third Party Advisory

Jump to

Vulnerability Details : CVE-2013-6272

Products affected by CVE-2013-6272

Exploit prediction scoring system (EPSS) score for CVE-2013-6272

CVSS scores for CVE-2013-6272

CWE ids for CVE-2013-6272

References for CVE-2013-6272